1. Technical Field
The invention relates generally to user identification. More particularly, the invention relates to allowing users to share pseudonyms instead of actual user names, both to protect the user's privacy and to shield the user from unwanted emails, instant messages, etc.
2. Description of the Prior Art
In the modern Internet, any real user name made public may compromise the user's privacy as well as expose the user to unsolicited spam email, instant messages, etc. Because of this, it is very important to protect user identity. This is especially important in the environment of a federation network of Web services and its participants.
The problem of protecting a user's identity exists in both the user-to-service scenario and the user-to-user scenario. It should be appreciated that it is particularly difficult to protect user identity in the user-to-user case. For example, how can user Alice give user Bob access to Alice's Calendar service and at the same time protect both Alice's and Bob's identity from each other? Similarly, how can Alice establish a chat session with Bob without knowledge of Bob's real user name?
Loeb, Shoshana K. and Yacobi, Yacov, Security Method for Private Information Delivery and Filtering in Public Networks, U.S. Pat. No. 5,245,656 (Sep. 14, 1993) teach a technique that protects end-user privacy by ensuring that no logical entity is aware both of the end-user identity and of the end-user profile and content of the information the end-user receives. The method operates customized information services via a network as follows. The identity U of an end-user station is transmitted via the network to a name translator station. At the name translator station, the identity U of the end-user station is translated into a pseudonym U′. The pseudonym U′ is transmitted from the name translator station via the network to a filter station, and from the filter station via the network to a service provider station. In response, the service provider station transmits to the filter station an encrypted information description describing information available from the service provider station. At the filter station, the encrypted information description is compared with an encrypted information profile of the end-user station to identify specific information to be transmitted from the service provider station to the end-user station. An indicator is then transmitted from the filter station to the service provider station indicating the specific information to be transmitted to the end-user station. The specific information is then transmitted via the name translator station to the end-user station in an encrypted form not accessible to the name translator station, and is decrypted at the end-user station. Such teaching provides a rather complex workaround for protecting user identity.
Brands, Stefanus A., Privacy-Protected Transfer Of Electronic Information, U.S. Pat. No. 5,521,980 (May 28, 1996) and U.S. Pat. No. 5,604,805 (Feb. 18, 1997) teaches a cryptographic apparatus and means for each of three types of participants in an electronic system for privacy-protected transfer of certified information. Such disclosure reveals protocols for improving efficiency and security in such systems, and allows a variety of useful extensions in functionality without difficulty. This is achieved by a restrictive blind signature protocol in combination with a testing protocol. The restrictive blind signature protocol allows the certifying party to encode data into certified information that it provides to a receiving party, such that it cannot be altered or modified by the receiving party. The testing protocol enables parties to prove a variety of characteristics about the encoded data in their certified information.
Jay S. Walker, Bruce Schneier, and T. Scott Case, Method and System for Facilitating an Employment Search Incorporating User-Controlled Anonymous Communications, U.S. Pat. No. 5,884,270 (Mar. 16, 1999) and Method and System for Establishing and Maintaining User-Controlled Anonymous Communications, U.S. Pat. No. 5,884,272 (Mar. 16, 1999), teach a method and system for operating a computer system to facilitate an exchange of identities between two anonymous parties. The method and system are operative to receive from a first party first data including an identity of the first party, and to receive from the first party at least two first-party rules for releasing the first data, including a rule for releasing the identity of said first party. The system and method are further operative to receive from a second party a search request comprising at least one search criterion; to receive from the second party second data including an identity of the second party; and to receive from the second party at least two second-party rules for releasing the second-party data, including a rule for releasing the identity of the second party. The system and method are further operative to process said search request to determine whether the first data satisfies the search criterion and, if so, to exchange the first and second data, except the identities of the first and second parties, between the first and second parties in accordance with the first-party and second-party rules. After the exchanging step, the system and method are further operative to transmit the identity of the first party to the second party upon satisfying the first-party rule for releasing the identity of the first party, and to transmit the identity of the second party to the first party upon satisfying the second-party rule for releasing the identity of the second party.
Ralf Ch. Hauser and Gene Tsudik, Secure Anonymous Information Exchange in a Network, U.S. Pat. No. 6,061,789 (May 9, 2000) teach that computer network management for electronic commerce requires technical implementations of business processes. The process addressed in the disclosure is a technical method for communication in which two or more parties legitimately want to communicate anonymously, often before discussing a deal or closing a business, e.g. for anonymous bidding or auctioning in electronic commerce. Essentially, the method is described by a protocol for safely exchanging data in a network that provides a public key infrastructure and an anonymous communication facility between network users. It consists of a sequence of steps in which both sender (e.g. customer) and addressee (e.g. merchant) compose data sets (i.e., requests and replies) based on received data and/or prior knowledge. The data sets are enciphered to provide anonymity, and digitally signed to provide proof of the communicating partner.
Ichikawa Haruhisa, Hisada Yusuke, and Ono Satoshi, Email Access Control Scheme for Communication Network Using Identification Concealment Mechanism, European Patent Number EP946022 (Sep. 9, 1999) teach an email access control scheme capable of resolving the problems of the real email address and enabling unique identification of the user while concealing the user identification. A personalized access ticket containing a sender's identification and a recipient's identification in correspondence is presented by a sender who wishes to send an email to a recipient, so as to specify the recipient as the intended destination of the email. Accesses between the sender and the recipient are controlled by verifying the access right of the sender with respect to the recipient according to the personalized access ticket at a secure communication service. Also, an official identification of each user, by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification are defined, and each user is identified by the anonymous identification in email communications on a communication network.
Kohntopp, M. and Pfitzmann, A., Informational Self-Determination By Identity Management, IT+TI Informationstechnik und Technische Informatik (September 2001) teach an identity management system that enables the user to control the nature and amount of personal information released. Thus, it is an important building block for implementing both privacy protection and multilateral security. Described are requirements and solutions for a comprehensive, privacy-enhancing identity management system, which is based on pseudonyms and includes the possible cooperation of all parties involved. Finally, limitations and risks of such systems are discussed.
Clauss, S. and Kohntopp, M., Identity Management And Its Support Of Multilateral Security, Computer Networks (October 2001) describe an approach to developing an identity management system with respect to multilateral security. After examining digital pseudonyms and credentials as basic concepts of such a system, an introduction to technologies for multilateral security is given and an architecture which enables multilaterally secure communication is described. By means of different scenarios, the requirements of an identity management system are shown, and an approach to developing an identity manager and its infrastructure is outlined. Finally, problems and risks of identity management systems which must be considered when using such a system are discussed.
Van Herreweghen, E., Secure Anonymous Signature-Based Transactions, Computer Security, 6th European Symposium on Research in Computer Security (2000) teaches that electronic commerce protocols often require users to reveal their identities and other information not necessary for reasons of security, and that some applications such as contract signing are often argued to require a signer's authenticated identity; but this authentication may give the recipient a false feeling of security if certificate registration procedures do not guarantee a mapping to a liable person, or the correctness of certificate data. A separation of identity from liability is proposed. Liability-aware certificates allow certificate issuers to make explicit which liabilities they take with respect to the transaction, the certificate data or the signer's identity. Their use is illustrated in the design of a pseudonym service providing pseudonym certificates for secure anonymous transactions.
Bleichenbacher, D., Gabber, E., Gibbons, P. B., Matias, Y., and Mayer, A., On Secure And Pseudonymous Client-Relationships With Multiple Servers, Proceedings of the 3rd USENIX Workshop on Electronic Commerce (1998) introduce a cryptographic engine, Janus, that assists clients in establishing and maintaining secure and pseudonymous relationships with multiple servers. The setting is such that clients reside on a particular subnet (e.g. corporate intranet, ISP) and the servers reside anywhere on the Internet. The Janus engine allows each client-server relationship to use either weak or strong authentication on each interaction. At the same time, each interaction preserves privacy by revealing neither a client's true identity ("modulo" the subnet) nor the set of servers with which a particular client interacts. Furthermore, clients do not need any secure long-term memory, enabling scalability and mobility. The interaction model extends to allow servers to send data back to clients via e-mail at a later date. Hence, the results complement the functionality of current network anonymity tools and remailers.
M. Freedman and R. Morris, Tarzan: A Peer-to-Peer Anonymizing Network Layer, CCS'02 (Nov. 18–22, 2002) teach a peer-to-peer anonymous IP network overlay that apparently achieves its anonymity with layered encryption and multi-hop routing. The abstract states that Tarzan provides anonymity to either clients or servers, without requiring that both participate, and that in both cases Tarzan uses a network address translator (NAT) to bridge between Tarzan hosts and oblivious Internet hosts.
A. Lysyanskaya, R. Rivest, and A. Sahai, Pseudonym Systems, MIT Laboratory for Computer Science (June 1999) disclose pseudonym systems which allow users to interact with multiple organizations anonymously using pseudonyms. The disclosure states that previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e. share an identity, and that previous practical schemes also relied very heavily on the involvement of a trusted center. The disclosure further gives a formal definition of pseudonym systems in which users are motivated not to share their identity and in which the trusted center's involvement is minimal, gives theoretical constructions for such systems based on any one-way function, and presents a practical scheme.
It would be advantageous to provide user-to-user and user-to-network services communication without compromising user identity. More specifically, it would be advantageous to provide an introduction scheme that offers a simple and secure way of establishing a user-to-user link, for example on a federation network of Web services, without exposing real user names to other users or to Web services, for example by way of a pseudonym.